Cyber Warfare

by Bobby Akart


  Sullivan notes that this is a fundamental difference in how China acts in the cyber arena, when compared to the U.S.

  "When the US spies, it does so to level the playing field. In a well-known example, the U.S. spied on Airbus to prevent bribes in the Middle East. But, according to the US, no intellectual property was transferred from Airbus to Boeing. China doesn't see the distinction," he said.

  This is an example of how the usual rules and treaties that apply to armed conflicts and intelligence have not been extended to cyber warfare.

  "There aren't any international agreements governing peacetime intelligence gathering," Sullivan said. "Cyber technologies have changed the nature of intelligence gathering. And perhaps it's time to write some new treaties of what's acceptable and what's not."

  Is there a red line that can be crossed?

  The need for such treaties in the cyber realm was underlined in 2015 after the breach at the US Office of Personnel Management (OPM), perhaps the most high-profile case of cyber-espionage in recent times.

  The OPM revealed that over 21.5 million federal records had been stolen, including Social Security numbers, education history, employment history, and financial background of federal employees. Later in 2015, the OPM admitted nearly six million fingerprints were also obtained via a different cyber intrusion. FBI Director James Comey said in a US Senate appearance that even his information was likely to have been compromised, showing the full scope of the breach.

  Unsurprisingly, China is believed to have carried out the hack, although it was not publicly accused of doing so.

  A senior research fellow for military influence at the Royal United Services Institute explained that the sheer scale of the attack led to a serious debate in the West about how to deal with China and the growing cyber crisis.

  Perhaps it is time to draw a red line about what is acceptable, although many argue the U.S. must be cautious about the extent to which this might constrain its own activities. There is a sense that the scale and frequency of attacks apparently emanating from China has reached a level where, even if the purpose is traditional espionage, it is no longer acceptable and requires a response in kind.

  China has denied any involvement in the OPM hack and countered with its own accusations against the U.S., alleging state-sponsored spying. Chinese foreign ministry spokesman Lu Kang said, "maybe it is better to clarify one's matters before rushing to make unfounded accusations against others, so as to make oneself sound more convincing."

  Perhaps Lu was referring to the disclosures made by former NSA contractor Edward Snowden in 2013. The whistle-blower released a trove of classified documents detailing mass surveillance programs run by the US and UK governments.

  The Snowden disclosure changed how the U.S. was perceived around the world and made it hard for the politicians in Washington to act with moral superiority. Much of the American moral high ground was lost through Snowden when the material demonstrated the extent to which the NSA was collecting enormous amounts of data.

  As of this writing, President Obama and Chinese President Xi Jinping are meeting amid growing tensions over Chinese cyber attacks. The President is attempting to establish a red line: the nation’s infrastructure.

  Has the President shown his hand as to the biggest threat this country faces?

  RUSSIA

  Russia is well known for its military mentality. Remember the Cold War? It has taken nearly a decade for the world to realize the true threat of cyber war. Today, the world is far more dependent on computers and networks than it was eight years ago, when we experienced the NATO-Serbia cyber war. Russia opened the eyes of the world to the looming threat of cyber warfare after the Estonia incident. Now Russia’s state-sponsored cyber forces have opened up a new front in a cyber war.

  Reports indicate Russian cyber forces unleashed a large-scale cyber attack on Radio Free Europe. There is also some evidence of the use of botnets in politically motivated distributed denial-of-service (DDoS) attacks. This raises questions about Russia’s real cyber warfare ambitions. Russia’s cyber warfare doctrine is designed to be a force multiplier alongside more traditional military actions, including potential weapons of mass destruction attacks. A force multiplier is a military term for a weapon or tactic that, when added to and employed along with other combat forces, significantly increases the combat potential of that force.

  Like all offensive cyber strategies, it includes the capability to disrupt the information infrastructure of its enemies. This doctrine includes plans that would disrupt financial markets, military and civilian communications, and other parts of the enemy’s critical infrastructure prior to the initiation of traditional military operations. These plans are also designed to weaken the adversary’s economy, further decreasing its ability to respond to the combined threat. Offensive cyber weapons receive considerable attention in the Russian cyber warfare doctrine. This, coupled with advanced research and development, puts Russia on the leader board behind China as a cyber threat.

  Cyber attacks and cyber weapons are now recognized as strategic arms and in effect are useful offensive weapons. As the Russians have proven in Georgia, Estonia and Ukraine, cyber attacks can harm or even paralyze a country and, therefore, have equivalent implications as that of physical military strikes. Not all cyber attacks leave behind forensic evidence that can be used to assess the capabilities of the attacker. With all the attacks attributed to Russia, there has to be significant intelligence out there about techniques, cyber weapons, and strategies that have been used in these cyber assaults.

  Cyber warfare capabilities have outpaced our legal and political systems. Russian President Vladimir Putin has blasted the U.S. for its militaristic approach to foreign policy, saying its actions were nourishing an arms race. Consider this evidence of Russia’s dedication to cyber capabilities. In 1998, Russia’s defense budget was less than $3 billion. Since that time, the Russian defense budget has soared, with substantial increases going to its cyber warfare program; the budget jumped twenty-three percent in 2007 to $32.4 billion.

  An interesting point to keep in mind is that Moscow does arms business with over seventy countries, including China, Iran, and Syria. Reports indicate Russian intelligence services have a history of employing hackers from these nations to be used against the United States. For example, in 1985, the KGB hired Markus Hess, an East German hacker, to attack U.S. defense agencies in the infamous case of the Cuckoo’s Egg.

  The following is an estimate of Russia’s cyber capabilities.

  Russia’s Cyber Army:

  Military Budget: $40 Billion USD

  Global Rating in Cyber Capabilities: Tied at Number 4

  Cyber Warfare Budget: $127 Million USD

  Offensive Cyber Capabilities: Significant

  Cyber Weapons Arsenal in Order of Threat:

  • Large, advanced botnet for DDoS and espionage

  • Electromagnetic pulse weapons (non-nuclear)

  • Compromised counterfeit computer software

  • Advanced dynamic exploitation capabilities

  • Wireless data communications jammers

  • Cyber logic bombs

  • Computer viruses and worms

  • Cyber data collection exploits

  • Computer and network reconnaissance tools

  • Embedded Trojan time bombs (suspected)

  Cyber Force Size: 7,300+

  The government in Moscow has established close ties with the Russian Business Network, which is thought to own and operate the second largest botnet in the world. Intelligence suggests there are organized groups of hackers tied to the Russian Federal Security Bureau. The FSB is the internal counterintelligence agency of the Russian Federation and successor to the Soviet KGB. Russia is often overlooked as a significant player in the global software industry, although it produces two hundred thousand scientific and technology graduates each year. That number of graduates is as many as India produces, with five times the population.

  A study by the World Bank states that more than one million people in Russia are involved in software research and development. Russia has the potential to become one of the largest internet technology markets in Eurasia. The Russian hacker attack on Estonia in 2007 rang the alarm bell. Nations around the world can no longer ignore the advanced threat that Russia’s cyber warfare capabilities pose today, nor the capabilities it aspires to have in the near future.

  From this information, one can only conclude that Russia has both the intent and the advanced technological capabilities necessary to carry out cyber warfare anywhere in the world at any time.

  IRAN

  Iran has been steadily developing its cyber warfare capabilities for a number of years and now poses a significant threat to government agencies and critical infrastructure companies around the world, according to a report entitled Operation Cleaver released by U.S. cyber security firm Cylance. The title alludes to the custom software used in Iranian hacking operations, which frequently uses the word cleaver in its coding.

  Operation Cleaver has targeted the military, oil and gas, energy and utilities, transportation, airlines, airports, hospitals and aerospace industries of over fifty entities in sixteen countries. If the operation is left to continue unabated, it is only a matter of time before the Iranians impact the world’s physical safety, Cylance said in its eighty-seven page report.

  Iran has officially denied involvement in the hacking campaigns. "This is a baseless and unfounded allegation fabricated to tarnish the Iranian government image, particularly aimed at hampering current nuclear talks," said Hamid Babaei, spokesman for Iran's mission to the United Nations, in an interview with Reuters.

  In light of how ambitious Iran's hacking campaigns have become, the report makes a bold claim: Iran is the new China. While Iran's cyber capabilities aren't anywhere near those of Russia, China, or the United States, its program is advancing with help from China and Russia.

  Iran's hacking campaigns began in earnest in 2011, in retaliation for the cyber attacks that were launched against the country's nuclear program from 2009-2012 by the U.S. and Israel.

  The Iranians have learned that cyber warfare doesn't require a significant number of troops or a superior set of bombs. In the event of a conflict, Iran will be able to use its cyber technology to shut down critical infrastructure around the world. Following the Russian template, Iran is enhancing its cyber warfare capabilities primarily for military readiness.

  Experts say during Operation Pillar of Defense, Israeli websites faced a larger, more coordinated, and more skilled series of cyber attacks than during similar conflicts. At the same time Hamas, with the assistance of its state sponsor Iran, was trading fire with the Israel Defense Forces, hackers from all over the world launched a string of coordinated attacks on electronic targets in Israel.

  According to Gadi Aviran, CEO of the Netanya-based open-source intelligence analysis firm SenseCy/Terrogence, hackers have used the last two Israeli military operations in Gaza as an opportunity to strike at the country. But this time, their efforts revealed a greater level of capability and expertise.

  "It was much more profound than previous operations," said Aviran. "The cyber attack was well-organized, had a lot of traction, and it used some more advanced techniques than we saw before. It was a logical step in their cyber-evolution."

  This meant a greater frequency of typically unsuccessful or short-lived acts of web vandalism, like the replacement of a web page with a picture of Adolf Hitler or Hezbollah leader Hassan Nasrallah, or attempted data bombs or denial of service attacks. But hackers did manage to overwhelm and slow down an important Israeli internet service provider — a nearly unprecedented accomplishment. In total, almost three thousand Israeli websites were defaced during the attacks, while several databases were leaked online.

  The vast majority of attacks didn't originate in Gaza or the West Bank. Many came from hundreds or even thousands of miles from Israel's borders, through surrogates like Morocco and Indonesia.

  Iran seems especially determined to prove its cyber capabilities against Israel. With Iran building up its cyber-offensive capabilities during the past decade significantly, Israel now considers Russia, China, and Iran to be the sources of the most aggressive and worrying attacks against its online and electronic infrastructure.

  Most Russian-based attacks are criminal in nature — attempts to steal credit card numbers or bank account information. China has a broad-based hacking strategy that involves efforts against ostensibly friendly or at least non-hostile countries, as when Chinese-based hackers attempted to steal information about Israel's Iron Dome missile interceptor system in 2011 and 2012.

  Iranian-based hacking is different in nature. Unlike Russia or China, the Iranian government is politically and ideologically opposed not just to Israeli policy, but to the country's very existence. Hacking originating in Iran is aimed at directly undermining Israel in a way that Russian or Chinese hacking typically isn't.

  Iran made cyber capabilities a top defense priority after the Stuxnet computer bug, a joint project of Israel and the U.S. that infiltrated and sabotaged Iran's nuclear program. The Iranian government realized that its enemies had brought the fight to a new battlefield and established a dedicated cyber command in 2011 as a result.

  There is a precedent for Iran using online Palestinian front groups as a front for anti-Israel activities. In 2013, a group called Qods Freedom, which claimed to be Palestinian, was found responsible for the extensive denial of service attacks on Israeli sites in July and August of that year. But their online vandalism included Arabic mistakes that no native speaker would make, using a tile set that SenseCy determined could only have been produced by a Persian-language keyboard. Qods Freedom also used the same defacement signature as two Iranian groups.

  According to the reports, the Hamas-linked Izz al-Din Al Qassam Cyber Fighters were also a product of the military strategy in Tehran.

  Iranian hacking is a multi-faceted enterprise. It encompasses hidden proxies like Qods Freedom — but also government-backed, semi-independent groups, like the very proficient Ashiyane Digital Security Team, and internet based subsidiaries of Iranian-supported foreign militant groups, like Cyber Hezbollah.

  Iranian-based hackers' capability seems to be catching up to their ambitions. In February of 2014, the Wall Street Journal reported that Iran-based hackers had so deeply infiltrated Navy and Marine Corps unclassified web systems that it would take four months to dislodge them fully.

  In 2015, as Iran negotiates a nuclear agreement with the U.S. and its partners, it hasn't scaled back its asymmetrical ambitions — whether on Iraq's sectarian battlefields or on Israeli and American web servers.

  NORTH KOREA

  Two entities undertake North Korean cyber operations—the Korean People’s Army General Staff Department (GSD) and the Reconnaissance General Bureau (RGB). According to South Korean government analysis, the DPRK employs six thousand cyber warriors in North Korea.

  In 2009, the RGB was formed as a consolidation of various intelligence and special ops units that previously existed throughout the North Korean government. This included portions of the North Korean military apparatus tasked with political warfare, foreign intelligence, propaganda, subversion, kidnapping, special operations, and assassinations. The RGB answers directly to the National Defense Commission and Kim Jong-un in his role as supreme commander of the Korean People’s Army.

  The RGB is now responsible for extensive operational cyber missions that assist the government in achieving the objectives of its political provocations. The cyber units most frequently linked to the RGB are Unit 121 and Lab 110. The English translation—Unit or Lab—does not accurately reflect their importance within the North Korean military bureaucracy. There are four bureaus comprising the RGB—1st Operations Bureau, 2nd Reconnaissance Bureau, 3rd Foreign Intelligence Bureau, and 6th Technical Bureau. Unit 121 and Lab 110 would be subordinate to or synonymous with the 6th Technical Bureau. It is also likely that the 3rd Foreign Intelligence Bureau has a cyber espionage component as well.

  Unit 121 has typically been linked to the DarkSeoul attack. In March of 2013, three South Korean broadcast networks and a major bank suffered cyber attacks via malware known as DarkSeoul. The malware infected the computer systems so extensively that most had to be replaced, and large volumes of data were lost. Because the attacks were routed through proxies located in China, attribution to the North Koreans was not possible.

  Lab 110 has been accused of using a bogus information technology company in Shenyang to sell malicious software to South Korean customers. The exact operational relationship between Unit 121 and Lab 110 is not known. There is a possibility that offensive cyber operations could be easily combined with human intelligence or covert operations capability for military purposes.

  In North Korea, the General Staff Department (GSD) of the Korean People’s Army (KPA) is broadly comparable to the U.S. Joint Chiefs of Staff and oversees the operational aspects of the entire KPA. As such, it has authority over numerous operational cyber units, including units tasked with political subversion, cyber warfare, and operations such as network defense. North Korea is in the process of assembling these units into an overarching cyber command and control structure. Currently, the GSD’s Operations Bureau has been attributed with conducting cyber operations, but intelligence information about the scope of these activities, as well as the various units conducting them, has been spotty.

  Kim Jong-un directly oversees the GSD’s position in government. Analysts surmise that the bulk of North Korea’s offensive cyber operations is housed in the RGB, a black operations organization. Because the GSD’s cyber missions stem from electronic warfare, this has strong implications for what the North Koreans tend to target, what type of attack they rely on, and what mission they hope to achieve via cyber warfare.

  According to defectors who have escaped to South Korea, their primary target is Western critical infrastructure. The cyber army in Unit 121 is trained and operates for this primary purpose.
